
LAN Clients unable to receive External NTP Server Time

Hello,

Recently moved from UTM to XG and I'm encountering an issue where my LAN clients are unable to receive NTP replies from NTP servers. I did not have this issue in UTM.

My general rule setup is to allow any LAN client unrestricted access to the internet. When viewing the logs, port 123 traffic is allowed outbound, but it does not appear that any client is receiving the reply. I have no other known issues connecting to the internet for any other services. The Sophos XG appliance is able to get accurate time from NTP servers.

Are there any configurations I should be making to allow NTP for the LAN clients?

Thanks!

Brad



  • I stumbled across this when setting up an SG firewall in a new customer's network.

    I had the same issue with NTP server access because the PDC could not access any external NTP server. Firewall rules were in place.


    After a while I found out that someone misconfigured the internal server with PDC FSMO role with a bad w32tm command line setting some time ago.

    The problem is the AnnounceFlag 0x8 behind the IP address of the external NTP server. The 0x8 setting sets Windows Time to use client mode.

    w32tm /config /manualpeerlist:NTP_server_IP_Address,0x8


    Solution:

    Do not use 0x1 or 0x8 or whatever; just use the IP addresses, no flags.

    Simply enter the correct command on the PDC to overwrite the current setting,

    e.g.

    w32tm /config /manualpeerlist:"0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org" /syncfromflags:manual /reliable:yes /update

    then restart the Windows Time service.


    Update: 02 June 2020

    At another customer I had a similar problem. NTP was configured correctly in Windows. But between the Sophos SG and the WAN was an HP OfficeConnect 1920s Layer 2 switch. The switch has an anti-DoS feature enabled by default called Automatic Denial-of-Service (DoS) protection.

    A sub-feature is:
    Prevent UDP Blat Attack

    This drops packets that have a UDP source port equal to the UDP destination port. That is what matches UDP communication. So there the switch broke NTP. After disabling UDP Blat Attack, NTP was working.

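Added diagnostic for the second case described above (it is not part of the thread and not a Sophos or HP tool): it sends one NTP client request from UDP source port 123, as the Windows Time service does, and one from an ephemeral port. If only the ephemeral-port probe gets an answer, something on the path drops symmetric-port UDP, which is exactly what the switch's "Prevent UDP Blat Attack" rule does. The server name is taken from the reply's example; binding port 123 needs administrator rights and a free port 123 on the client.

```python
"""Probe whether NTP replies reach this host, from port 123 and from an ephemeral port."""
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and the Unix epoch
NTP_PORT = 123


def build_ntp_request() -> bytes:
    # First byte: LI=0, VN=4, Mode=3 (client) -> 0x23; the remaining 47 bytes are zero.
    return bytes([0x23]) + bytes(47)


def parse_ntp_response(data: bytes):
    """Return (mode, stratum, transmit_timestamp_as_unix_seconds) from a 48-byte packet."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    mode = data[0] & 0x07          # mode 4 = server reply
    stratum = data[1]
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    return mode, stratum, tx_secs - NTP_EPOCH_OFFSET + tx_frac / 2 ** 32


def probe(server: str, source_port: int, timeout: float = 3.0):
    """Send one client request from source_port (0 = ephemeral); None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("", source_port))  # 123 mimics w32time: src port == dst port
        sock.sendto(build_ntp_request(), (server, NTP_PORT))
        try:
            data, _ = sock.recvfrom(48)
        except socket.timeout:
            return None
    return parse_ntp_response(data)


def diagnose(server: str) -> str:
    """Classify the path: 'ok', 'symmetric-port-dropped', or 'no-ntp-at-all'."""
    ephemeral = probe(server, 0)
    symmetric = probe(server, NTP_PORT)
    if symmetric is not None:
        return "ok"
    return "symmetric-port-dropped" if ephemeral is not None else "no-ntp-at-all"


if __name__ == "__main__":
    print(diagnose("0.de.pool.ntp.org"))
```

A result of "symmetric-port-dropped" points at a device between client and WAN (switch anti-DoS, a middlebox) rather than at the firewall rule, while "no-ntp-at-all" means the firewall or upstream path is blocking port 123 entirely.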